The Hacker News — Cyber Security, Hacking, Technology News

When you're online, you expose yourself to malicious software that has been growing in virulence and ferocity over the last few years.

As a home PC user, you may think you are protected from malicious software because you installed an effective, trusted antivirus solution, but most antivirus products still merely find and remove threats that are already known.

But what if one day you turn on your system and find a pop-up window with a warning that says "Your system is locked and important drives are encrypted, and there is no way out unless you pay the fine"?

This is what ransomware does to your system. Ransomware is the most serious emerging threat to computing devices. It is a kind of malware designed to block access to a computing system, or to lock the system outright, until an amount of money is paid through Internet banking.

Ransomware is usually installed when you open a malicious attachment in an email message, or when you click a malicious link in an email, an instant message, a social networking site or another website.

A new piece of ransomware is giving Internet users one more reason to think twice before they click a link in an email. You may have read about the Cryptolocker malware in our previous stories on The Hacker News: a new ransomware Trojan that encrypts your files and demands money to return them.

Cryptolocker has been infecting PCs around the world and effectively holding the files on them for ransom. It first appeared last month. Malware researcher Octavian Minea from Bitdefender explains the detailed inner workings of the Cryptolocker ransomware; let's have a look:

The Cryptolocker ransomware is installed with the help of a Zbot variant (Zbot, also known as Zeus, is a malware toolkit that allows a cybercriminal to build his own Trojan horse; sold on the black market, it lets non-programmers purchase the technology they need to carry out cybercrime). After installation it immediately adds itself to the Startup folder under a random name. It then tries to connect to its command-and-control server over the Internet and sends a 192-byte encrypted packet:

Here {GROUP_NAME} appears to be related to the compilation time of the malware, and an example of {LOCATION_ID} is 'en-US'.

On successful connection, the server generates a 2048-bit RSA key pair; the malware receives only the public key, together with a newly generated Bitcoin address. For each victim, only the Cryptolocker authors have access to the private key needed for decryption.

The information received from the server is stored in the system registry at:

HKEY_CURRENT_USER\Software\Cryptolocker_NUMBER\

This key holds the PublicKey value, the version info together with the Bitcoin address, and the command-and-control server address, stored in encrypted form.

Cryptolocker also uses a solid encryption scheme, which so far appears unbreakable. It begins encrypting documents on any local or network storage drive that are in any of these formats:

A fresh AES key is generated for each file to be encrypted; the file is AES-encrypted and the AES key is itself encrypted with the RSA public key. The encrypted AES key is then appended to the encrypted file, so recovering any file requires the RSA private key.

While the public key is stored on the computer, the private key is stored on the command-and-control server. CryptoLocker demands payment by MoneyPak card or Bitcoin to recover the key and begin decrypting files, and threatens to delete the private key if payment is not received within 3 days.

"Payment of the ransom can generally be performed in Bitcoins, although some Cryptolocker variants also accept the payment methods Ukash, CashU or, only in the US of A, MoneyPak prepaid cards, which can only be bought with cash. All these payment methods are practically anonymous," he said.

Because of the extremely large key size it uses, analysts and those affected by the malware consider CryptoLocker extremely difficult to recover from.

Users whose files have been locked by the ransomware are currently paying $300 to $700 to the criminals behind it to regain control of their computers. Once the victim pays the ransom, the transaction ID must be entered and a verification purportedly follows. If the server sends a private key, it is added to the registry and the decryption process begins.

So far there have been no reports of the attackers reinfecting a machine once the ransom has been paid. However, the attackers give you roughly three days to pay; otherwise your data is gone forever, especially if you do not keep regular, off-site backups.

Today's cybercriminals use more sophisticated attacks, such as ransomware and spear phishing, which earn them more money per attack than ever before. A sample study of 1,000 users by Symantec found India to be the ransomware capital of Asia Pacific, with 11% of users victims of virtual extortion.

There are several free ways to help protect your computer against ransomware and other malware:

Make sure to keep all of the software on your computer up to date.

Make sure that automatic updating is turned on to get all the latest security updates.

Never open any attachment unless you know who it's from and why they are sending it.

If you're a daily computer user, you're likely aware of all the threats you face every day online in the form of viruses and malware.

CryptoLocker, a new ransomware malware, began making the rounds several months ago. This ransomware is particularly nasty because infected users are in danger of losing their personal files forever.

Ransomware is designed to extort money from computer users by holding their files hostage until they pay a ransom fee to get them back. The Cryptolocker hijacker sniffs out your personal files and wraps them in strong encryption before demanding money.

Cryptolocker is spread through malicious hyperlinks shared via social media and spam emails, such as fake UPS tracking notification emails. The original version demanded $100 to decrypt files, but the new and improved version demands $300 from victims.

Apparently, the encryption is performed with a unique RSA-2048 public key. The decryption key is kept on a secret server somewhere on the Internet, and a countdown on the infected machine tells you how long you have before that key is no longer available.

Ransomware is not a new threat, but in the last year, it has become more effective and more popular with criminals. Researchers from a number of antivirus vendors are working on a way to undo the damage, but it's not going to be easy.

To prevent ransomware from infecting your computer, make sure the computer has a properly configured firewall, update each computer regularly with the latest patches and updates from its vendor, such as Microsoft, and restrict administrative access solely to the administrator or the person who operates the network or computer.

Update: Another screenshot of the latest CryptoLocker variant shows that the ransomware also accepts payment in Bitcoins.

Once you send the payment of 2 BTC (two Bitcoins, currently about $280), you are shown a screen stating that your payment is being verified, after which the program will decrypt the files it encrypted.

However, CryptoLocker is the first widely reported instance of a ransomware program actually going as far as permanently encrypting the files on a host computer. Unfortunately, at this time there is no way to retrieve the private key needed to decrypt your files.

This infection is typically spread through emails sent to company email addresses that pretend to be customer-support issues from FedEx, UPS, DHS, etc. These emails contain a zip attachment that infects the computer when opened. The zip files contain an executable disguised as a PDF: it has a PDF icon and is typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Windows does not show file extensions by default, these look like normal PDF files and people open them.
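The double-extension lure described above can be checked for mechanically before an attachment is ever opened. The following Python script is an added example, not code from the article or from Bitdefender: it inspects a zip attachment, flags any entry that is an executable (by extension or by the "MZ" header every Windows PE file starts with), and reports when the name Windows would display with extensions hidden looks like a document. The archive contents are constructed inline for the demonstration; the extension lists are the author's assumptions, not from the article.

```python
import io
import zipfile

# Extensions Windows runs directly; "document.pdf.exe" is the lure the article describes.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def displayed_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, _ = base.rpartition(".")
    return stem if dot else base


def inspect_attachment(zip_bytes: bytes) -> list:
    """Return (entry, reason) for each entry that is an executable, and note
    when the name Windows would display makes it look like a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            ext = name.rpartition(".")[2].lower()
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"  # header shared by all Windows PE files
            if ext not in EXECUTABLE_EXTENSIONS and not is_pe:
                continue
            shown = displayed_name(name)
            shown_ext = shown.rpartition(".")[2].lower() if "." in shown else ""
            if shown_ext in DOCUMENT_EXTENSIONS:
                reason = f"executable displayed as '{shown}', looks like .{shown_ext}"
            elif is_pe and ext not in EXECUTABLE_EXTENSIONS:
                reason = f"PE header but non-executable extension .{ext}"
            else:
                reason = f"executable attachment (.{ext})"
            findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (no real malware): the article's lure name,
    a PE renamed to .pdf, and a genuine-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FORM_101513.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("real.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()
```

Running `inspect_attachment(build_sample_zip())` flags the first two entries and leaves the genuine PDF alone; the same function can be pointed at the bytes of a real attachment pulled from a mail gateway quarantine.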

If you do not have System Restore enabled on your computer or reliable backups, then you will need to pay the ransom to get your files back.